Analysis
-
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 21-12-2023 02:25
Static task
static1
Behavioral task
behavioral1
Sample
Ghost Hunter Vena_d-34UG1.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Ghost Hunter Vena_d-34UG1.exe
Resource
win10v2004-20231215-en
General
-
Target
Ghost Hunter Vena_d-34UG1.exe
-
Size
10.5MB
-
MD5
7c3cdfd4ec2ef7074aa6cba65aedec95
-
SHA1
b248fdaf6f4bdcb0c470059065069c931c9b6362
-
SHA256
6dea57ecfe1a092b1c434f571276426140f18b514b79128f8daee7d61cd85c63
-
SHA512
c40ba8d6663ea6a3e9125d8bcdb2cae8fc34cfc9d6b70746769d7c0921176f21a881f85a91f6f6280f7ddacd654d7ae394de01718a8210968ed8cafe2f82de52
-
SSDEEP
12288:fuI/t26BoC4OIrOdSj5KFbkj2jUUDJLLUp+ezD3iH:TuOdSf2IKRU
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2452  HEUNTBQ.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid   process
2164  Ghost Hunter Vena_d-34UG1.exe
2164  Ghost Hunter Vena_d-34UG1.exe
2732  WerFault.exe
2732  WerFault.exe
2732  WerFault.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid   pid_target  process       target process
2732  2452        WerFault.exe  HEUNTBQ.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                        pid   process                        target process
PID 2164 wrote to memory of 2452   2164  Ghost Hunter Vena_d-34UG1.exe  HEUNTBQ.exe
PID 2164 wrote to memory of 2452   2164  Ghost Hunter Vena_d-34UG1.exe  HEUNTBQ.exe
PID 2164 wrote to memory of 2452   2164  Ghost Hunter Vena_d-34UG1.exe  HEUNTBQ.exe
PID 2164 wrote to memory of 2452   2164  Ghost Hunter Vena_d-34UG1.exe  HEUNTBQ.exe
PID 2452 wrote to memory of 2732   2452  HEUNTBQ.exe                    WerFault.exe
PID 2452 wrote to memory of 2732   2452  HEUNTBQ.exe                    WerFault.exe
PID 2452 wrote to memory of 2732   2452  HEUNTBQ.exe                    WerFault.exe
PID 2452 wrote to memory of 2732   2452  HEUNTBQ.exe                    WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ghost Hunter Vena_d-34UG1.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2164
  C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\HEUNTBQ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\HEUNTBQ.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2452
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 856
      - Loads dropped DLL
      - Program crash
      PID: 2732
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\HEUNTBQ.exe
Filesize: 56KB
MD5: 1a8df2c3af9622f4a0789b8552d89c37
SHA1: f1d33ddab47c608301f09a315ef140ee58768958
SHA256: b125619780db3e28323eaeabd90b2dcc77173d36ebd512adc1315979d7f74936
SHA512: 2ffce98d87bf67042b50f9299a6ec5b877c5c4e85b2563747a7c36833b8a9895564a5dc8bad3310d15cfafab4201bd29fbb4755373d6534ce1d45aaa6d53b766
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\HEUNTBQ.exe
Filesize: 97KB
MD5: 3e8964475737cb565a114fac924d4a75
SHA1: 8e5a1e9f512d0db67e2c6bbe9be11d8f76940bc0
SHA256: 6922af9143aa1cce8ab2d1acaa73abbb1495e95856dd58766d73a703e6e2b282
SHA512: 012977ebdfb327def1951d51cb3a777270bcbbe187b8a86015dcf963dadc5d88257125f3db764e590c272b27e4209a5218f5055aa4528b0c683e1cb8e721fc18
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\HEUNTBQ.exe
Filesize: 9KB
MD5: e714944c1aad2c6e0d44055561908c74
SHA1: 208eb146bfe072cf05a3645a42ab5212954c04c9
SHA256: ccd7513157eccae76e150fb8d585cbf8eaaaa1bda04091ef0c23e6c7f144233d
SHA512: 88997f5ffe1c946d4b91e1c5039df3a7f831ce110d5cb12fc40fefc869d033a0fcfbceea10408d6f5cdf61f6f73ca9d0b6694dcfacda4828a1ea7c5c4854b4c1
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\HEUNTBQ.exe
Filesize: 159KB
MD5: c68be1642adc5cb69f48b5a7605984ff
SHA1: 091f7a33e6e0ddca20b5384d82edcf17feed921b
SHA256: 26a05a291545b60e2218a663e3c9d629cdd0e076ec8d7adb2ca03cab80d2f3df
SHA512: 0198b77c624df5639e058e46e92085410bb0f3aca2b45e9ffa9dc26588134755b5e13e213057dd6918f8f2573c214023bd04dc07b68ca329b7e5a440b2f5013f